geek & news & personal & programming 25 Jan 2008 06:19 pm

LSMSA Alumni Database

Well, as GK has informed me, the new alumni database for LSMSA stores their passwords in plaintext. He found out from an error when updating his profile information and could actually see the SQL query. So I decided to go check the site out and see if I could do any SQL injection. I ended up screwing my profile page over, so now I can’t update anything. I also managed to get a few more injections to work, but I wasn’t able to see GK’s password because of how the query was structured. However, that doesn’t mean this site is secure.

After learning this information, I’ve changed my password to something pretty random, so that I won’t be the victim of some exploit.
